Start messaging today!

Test your Network

The death of opted-in communications in South Africa?

PRESS RELEASE ‐ SOUTH AFRICA ‐ August 2011

By Dr Pieter Streicher, MD of BulkSMS.com

The Protection of Personal Information (POPI) Bill is at serious risk of being
watered down to such an extent that it is rendered ineffective and meaningless
when it comes to preventing consumers from receiving email and SMS spam.

The Bill, which has been under discussion since 2009, sets out to establish the
minimum requirements for the lawful processing of personal information, i.e.
how it is captured, processed and stored by organisations, and gives citizens
legal recourse should their personal information be abused.

Key to the efficiency of the POPI Bill is that it is established on a customer
opting in to receive direct marketing communications from companies, rather
than opting out of communications, as is currently the law under the ECT Act
and the Consumer Protection Act. Unfortunately, careful study of the latest
draft of the Bill and a comparison with the equivalent 1995 European Union Data
Protection Directive shows that the implementation of the opt-in principle in
the POPI Bill is not nearly as strong as it needs to be. The EU Directive is
clearly the basis for the South African Bill, with word-for-word copy-and-paste
similarities, so any differences between the two documents are extremely
revealing about the intentions behind POPI.

I am specifically concerned with the wording of section 10(1) in the 2011 draft
POPI Bill and sub-section 10(1)(f) in particular. This section details the
circumstances under which personal information may be processed. In the POPI
Bill it reads as follows:

Processing is necessary for pursuing the legitimate interests of the
responsible party or of a third party to whom the information is supplied.

The equivalent sub-section (f) of the 1995 EU Directive provides that personal
data may only be processed if:

Processing is necessary for the purposes of the legitimate interests pursued
by the controller or by the third party or parties to whom the data are
disclosed, except where such interests are overridden by the interests for
fundamental rights & freedoms of the data subject which require protection
under Article 1.

Section 10(1)(f) of the POPI Bill has quite clearly been materially copied from
the EU Directive, but with a significant omission. The EU law balances the
legitimate interests of an organisation with the fundamental rights of the
individual – in this case article 1 refers to their right to privacy with
respect to the processing of personal information. The South African draft does
not balance the rights of the company with individual rights.

This is problematic as it sets a far lower barrier for companies capturing
personal information. It is likely that direct marketers will regard the
collection of consumer data as a legitimate business interest, especially since
section 66(2) gives them the right to contact any consumer at least once. This
potentially opens the door for companies to scrape the internet for any
personal details – irrespective of the reason the details were published by the
individual in the first place. So, the classified advert you placed to sell
your car that included a cell number and email address could result in your
details being added to a direct marketing list.

In 2009, the South African Law Commission produced an 860-page report on the
draft Bill in which it states that it should be considered illegal to collect
personal information from the internet without the individual knowing.
Unfortunately, if the revised 2011 wording of the Bill stands, those original
intentions are now going to be of little value when the Bill becomes law.

This is especially alarming when one looks at another dilution of the POPI Bill
that I have mentioned above and highlighted previously. Possibly as a result of
lobbying by direct marketers, an additional clause was added to the Bill that
allows companies to approach non-clients via an unsolicited email or SMS, and
ask them if they would like to receive future marketing communications, thus
building an opted-in database.

This is concerning because it begs the question where the company got the
contact details in the first place. Also, it would be very easy to include a
marketing message in the initial communication. Finally, what is to stop a
company changing its identity and simply sending the message again in another
guise? If the customer gives consent in the first place, then the original
wording of the Bill - before this addition was made - is enough to both protect
consumers and allow business to continue with legitimate direct marketing to
non-customers.

Around the world it is considered best practice to base direct marketing on
robust opt-in principles. In my opinion the EU Directive hits the nail on the
head, and both the UK and Australian Direct Marketing Associations’ guidelines
support opt-in principles. Spam simply does not make sense: at best, your
message will be ignored, but more than likely your business will be named and
shamed publicly thanks to the rise of social media.

I’d urge those drafting the POPI Bill to revisit the Law Commission report,
remind themselves of the original intentions of the Bill, and redraft the
relevant sections accordingly. Businesses and consumers need to become aware of
the implications of the latest changes to the Bill as it winds its way towards
becoming law.